
on Sep 6

TrustArc is violating GDPR

TrustArc, a company which provides GDPR compliance systems, is in blatant violation of the GDPR.

TrustArc is one of many companies which provide the classic “Agree to cookies / More options” jumbotrons that litter the internet these days. You may be aware of the company under its former name, TRUSTe.

Notice the “Powered by TrustArc” in the bottom-right corner. You’ll recognise the flavour of these cookie notices if you’ve been through more than one or two - though they take several different forms. Some have the little toggle switches, some have a different selection of buttons - presumably to make them feel differentiated from one another.

Now, if you look very closely at the cookie notice in the picture above, you may notice something a little suspicious. I only noticed this after committing to the blog post, so it’s not the main topic. See if you can spot it before looking at the picture below.

Yes, that’s a cookie for Microsoft Advertising in the “necessary cookies” section. It’s possible that this is a simple mischaracterisation of an MS-powered login. However, there’s also one or more for SiteImprove, which is a company that provides an analytics platform; again, described as a necessary cookie despite the domain literally having analytics in the name. Not much plausible deniability there, I’m afraid.

(In case you are wondering, this particular example is from Linklaters, which officially hosts information about the incoming ePrivacy Regulation, due to replace the “cookie law” at some point in the near future. Ho hum.)

But anyway, that wasn’t actually the point of this article. The point was to highlight a different way that TrustArc’s “GDPR compliance” is violating GDPR.

The relevant line in the summary of the cookie regulations is highlighted below.

TrustArc provide a very interesting service in relation to this last point (highlighted). On some websites, pressing the “save preferences” button will create an honest-to-god pop-up window of all things, which then sets a spinner going with a message “This may take up to a few minutes to process.”

Some sites embed this “processing preferences” window in a dialog box instead of a pop-up, meaning that you can’t go on to read the content until it has completed its little dance in its entirety.

This is clearly intended as a trap for those less knowledgeable with computers. Anyone with an ounce of tech nous will be aware that it does not take “up to a few minutes” to save this much information to a database. Indeed, taking more than a couple of milliseconds would be grounds to declare the entire development team incompetent; on the order of seconds to minutes takes us way past “incompetent” and deep into “overtly malicious” territory.

The result and the goal of this software is to make exercising your right to privacy feel bad. By adding these small bumps in the road, it makes giving up and hitting “accept all” into the path of least resistance for many people. This is entirely contradictory to the purpose of the Regulations that the EU has put in place, and should be treated as an act of contempt in the face of the legislation.

Of course, it will surprise nobody that the preference-saving charade takes suspiciously close to exactly 30 seconds to complete. Almost as if it were some kind of artificial delay…

Oh, and what’s this? It doesn’t have the same delay when you simply decide to accept all cookies? How very shocking. And completely unintentional, I’m sure. u/PresentAppointment0 documents this behaviour on r/assholedesign, but it’s very easy to go and test it for yourself.

So, why is this unlawful? The cookie law explicitly states that it must be as easy to withdraw consent as it is to give consent. Given the evidence above, it is entirely clear that withdrawing your consent for non-functional cookies is considerably more difficult than giving your consent. There are few examples more clear-cut.

Now, not all websites with cookie consent managers powered by TrustArc exhibit this behaviour (for example, Linklaters, the site pictured at the top of this post, did not - but Forbes and ProQuest are two examples which seem to invoke the delay). If anyone has access to the backend, I’d be interested to find out whether this is a per-site setting that clients can choose.

I’m not sure why TrustArc’s clients believe that this is a lawful move - possibly by some misinterpretation of the phrase “withdraw consent” based on an uncharitable reading of the regulations. Breach of cookie-related provisions of the regulation can result in fines of up to €10m or 2% of annual worldwide turnover. It’s unlikely that TrustArc would be liable directly, but any affected website would have a good chance in court of recouping those expenses if TrustArc have claimed to provide regulatory compliance. Indeed, it may be the case that big businesses are using TrustArc as a scapegoat in order to continue their unsavoury practices in the light of day.

Here’s hoping that someone sees through this long enough to actually act against them in court. In the meantime, I would strongly recommend that you avoid using any websites which employ TrustArc’s malicious code, and, if you have the spare time, contact the client companies that you care about to inform them that their parasitic, non-compliant, hostile practices are bad for business and consumer alike.
